LocPass: A Graphical Password Method to Prevent Shoulder-Surfing

Graphical passwords are a method of authentication in computer security. Computer security is one of the disciplines of computer science. Shoulder-surfing attacks are a well-known threat to graphical passwords, although graphical passwords are increasingly used, especially for granting access to secure systems. Shoulder-surfing occurs when attackers skillfully capture important data or activities, such as login passwords, via direct observation or video recording. Many methods have been proposed to overcome the problem of shoulder-surfing attacks. After reviewing related works, we found that most of the existing methods are still vulnerable to multiple-observation and video-recorded shoulder-surfing attacks. Thus, we propose a new method to combat this problem. In our proposed method, we make use of two concepts to combat shoulder-surfing attacks. In the first concept, we use registered locations (something that only the user knows) and 5 image directions (something that the user can see) to determine a pass-location (new knowledge). Secondly, the images used in our proposed method have a higher chance of offsetting each other. The idea of offset could increase the password space of our proposed method if an attacker intended to guess the registered locations. By combining these two concepts, the pass-location produced by our proposed method in each challenge set can vary. Therefore, it is impossible for attackers to shoulder-surf any useful information, such as the images or locations clicked by the user in each challenge set. A user study was conducted to evaluate the capability of the proposed method to prevent shoulder-surfing attacks. The shoulder-surfing test results indicated that none of the participants were able to login, although they knew the underlying algorithm and had been given sufficient time to perform a shoulder-surfing attack.
Therefore, the proposed method has been shown to prevent shoulder-surfing attacks, provided the enrolment procedure is carried out in a secure manner.

Alphanumeric passwords are the foremost and primary form of user authentication [13]. This form is easy to implement and has been used widely from the past up to today [14]. A secure password must be random and easy to remember [1]. However, a secure password that is made up of a random string (e.g., upper and lower case letters and special characters, at least eight characters long) is difficult for users to memorise. Therefore, the graphical password was introduced as an alternative to help users memorise their password better [15].
Graphical passwords are a method of authentication in computer security. Computer security is one of the disciplines of computer science. Graphical passwords leverage human memory, since the human brain has significant capabilities for recognising and recalling visual images [3,15]. The belief is that with a graphical password, a user can register a random and secure password and still have no difficulty in remembering it [3].
Fundamentally, graphical passwords can be divided into three forms, namely recall, cued-recall and recognition-based systems [3]. Recall systems entail the user reproducing a previously drawn password object (e.g., a picture, icon, image or shape). In cued-recall systems, users are presented with images and are required to click on previously registered points. In recognition-based systems, to login users need to recognise a set of registered objects and identify certain objects, or pass-objects, from among other decoy objects displayed [1][2][3][4][5][6][7][8][9][10][11][12].
In this study, we focus only on recognition-based systems because these systems are less complex and have been implemented in many security systems, such as online banking systems [2]. The following is a review of selected related works on recognition-based systems.

Related Work
WYSWYE ("Where You See is What You Enter") was proposed by Khot et al. [5] (see Figure 1). There are two main procedures in this system: registration and authentication. During registration, a user is required to register four images from the 28 images shown. During authentication, a random image grid and an empty grid are generated and placed side by side on a login screen. The random image grid, or challenge grid, consists of password images and decoy images. The empty grid, or response grid, is used to acquire input from users. Users are required to use the challenge grid to find the required positions. After that, the users are required to apply the identified positions on the response grid.
According to [5], WYSWYE is able to prevent shoulder-surfing attacks because attackers who are peeping over the shoulder or monitoring with hidden cameras or screen-scraper programs could only see the random positions clicked in the challenge set. However, this method has a weakness whereby each of the boxes in the response grid is associated with 4 boxes in the challenge grid. For example, in Figure 1d, box No. 1 in the response grid is associated with boxes A, B, F and G in the challenge grid; box No. 2 with B, C, G and H; box No. 3 with C, D, H and I; box No. 4 with D, E, I and J; box No. 5 with F, G, K and L; box No. 6 with G, H, L and M; box No. 7 with H, I, M and N; box No. 8 with I, J, N and O; box No. 9 with K, L, P and Q; box No. 10 with L, M, Q and R; box No. 11 with M, N, R and S; box No. 12 with N, O, S and T; box No. 13 with P, Q, U and V; box No. 14 with Q, R, V and W; box No. 15 with R, S, W and X; and box No. 16 with S, T, X and Y. Therefore, attackers could observe the clicked images and filter out the decoy images in each challenge set. After multiple observations, the attackers might be able to work out the registered images. In other words, this scheme is still vulnerable to shoulder-surfing attacks, as the attackers can login as legitimate users by filtering out the decoy images after multiple observations [16].
Ho et al. proposed a method that allows both registered and decoy images to be used as the challenge set's input in 2014 [17] (see Figure 2). During the registration procedure, the user is required to register several images. The user is required to remember the sequence of the registered images. During the authentication procedure, a pass-image is obtained using the starting image, the cued image and the proposed algorithm. Initially, the first registered image and the second registered image are used as the starting image and the cued image respectively. After that, the pass-image is obtained using the proposed method. In the proposed method, the user is required to determine whether the cued image is on the imaginary half-line. If the cued image is not on the imaginary half-line, the amount of offset is fixed to one. Therefore, the image immediately after the starting image along the imaginary half-line is the pass-image. If the cued image is on the imaginary half-line, the user is required to check whether the cued image is the last image on the imaginary half-line. If the cued image is not the last image on the imaginary half-line, the maximum offset is applied. Therefore, the last image along the imaginary half-line is the pass-image. If the cued image is the last image on the imaginary half-line, the amount of offset is reduced by one. Therefore, the image before the last image along the imaginary half-line is the pass-image. To determine the subsequent pass-image, the same method is used, except that the current pass-image is used as the starting image and the next registered image is used as the cued image. This process is repeated until the final pass-image is obtained. To login, the user is required to click on the final pass-image.
According to [17], this method can prevent direct observation attacks. However, when multiple sessions are video-recorded, the system is vulnerable to reverse engineering attacks [18]. Reverse engineering attacks exploit the fact that the registered images used in a challenge set are constant. A reverse engineering attack can be performed by ruling out some images that could not be the last cued image. After that, an attacker can obtain the remaining registered images by finding out the last starting image or ruling out more images. Therefore, attackers can find out the registered images and login as legitimate users.
Gokhale & Waghmare proposed a graphical password method in 2016 [19] (see Figure 3). During registration, a user is required to register several images from a list of 25 images. The user has to register at least six images, and the number of registered images must be an even number. The user is required to remember the sequence of registered images. To make it easier for the user, a panel is used to display the selected registered images. However, these images disappear after 5 seconds. After that, the user is required to choose a question from the question pool. Each question has a number associated with it. After selecting the question, the user is required to register a location as the answer to the question. The user can upload a background image from local storage or use one of the 25 images given by the system to make it easier to memorise the selected location. The user is required to register three locations, and each location must be associated with a question. During the authentication procedure, the user needs to obtain several pass-images using the registered images. To identify the location of the first pass-image, the first registered image is used to determine the row and the second registered image is used to determine the column. The intersection image is the first pass-image. This process is repeated for all of the pairs of registered images. After that, the user is presented with the three sets of registered questions in random order. The user is required to answer the questions by clicking on the locations associated with these questions during registration.
According to [19], this scheme is easy to use and can prevent shoulder-surfing attacks. However, since the locations are fixed, attackers can shoulder-surf the clicked locations easily [16]. Also, the attackers can filter out the registered images after multiple observations. This means that this scheme is still vulnerable to shoulder-surfing attacks.
Por et al. proposed a method that uses digraph substitution rules in 2017 [1] (see Figure 4). During the registration procedure, the user is required to register two images. After that, the user is required to register whether the first pass-image or the second pass-image will be used to login. During authentication, the user is required to select a pass-image to login using the digraph substitution rules.
According to [1], this scheme can prevent shoulder-surfing attacks. However, if attackers know the underlying algorithm, they can easily trace the images clicked and obtain information about the registered images via multiple shoulder-surfing sessions [18].
3D graphical user authentication (GUA) was proposed by [20] (see Figure 5). During registration, the user is required to register five images from 150 images. These images are distributed on 6 polygons, each of which consists of a 5 × 5 grid. During authentication, the user is required to identify and click the registered images by rotating the polygon.
User interface of the 3D graphical user authentication (GUA) system (adopted from [20]).
According to [20], this system is easy to use and can prevent shoulder-surfing attacks. However, from our perspective, this system is vulnerable to shoulder-surfing attacks because the images clicked by the user are the registered images. Therefore, attackers can shoulder-surf the clicked images and use them to login.
Sun et al. proposed PassMatrix, which uses an image discretisation algorithm, in 2018 [21] (see Figure 6). During the registration procedure, a user is required to select several images. Each of the selected images is converted into puzzles using an image discretisation algorithm. After that, the user is required to register one puzzle as the pass-image for each of the selected images. During authentication, a login indicator is generated. The login indicator is comprised of a letter and a number. After that, the random puzzles of the first selected image are shown. Each puzzle is associated with a letter on the horizontal bar and a number on the vertical bar. The user is required to shift the letter to the column on the horizontal bar and the number to the row on the vertical bar for each of the pre-selected puzzles. This process is repeated for all of the selected images.
According to [21], this system can prevent shoulder-surfing attacks. However, we still believe that this system is vulnerable to shoulder-surfing attacks, since the selected images and the puzzles are fixed, and attackers can shoulder-surf the pre-selected puzzle in each of the selected images and login after multiple observations.
Our review of the literature shows that there is still room for improvement in preventing shoulder-surfing attacks. Therefore, it is important to explore more methods to overcome this drawback. Hence, this research was carried out to overcome shoulder-surfing attacks, especially those using video recording and multiple observations.

Proposed Method
The proposed method consists of two procedures: registration and authentication.

Registration Procedure
During the registration procedure, the user is required to register a User-ID and re-confirm the User-ID. After the User-ID registration process, the user is given a 5 × 5 grid (see Figure 7). The user is required to register at least one location from the given grid. The user is allowed to register up to N locations, where N is the maximum number of locations that the user can remember. The user is also allowed to register the same location more than once. After selection, the user is required to reconfirm the selected locations. The password registration process is considered complete once the registered locations are saved in the database. Figure 8 shows a sample of registered locations and their order.

Authentication Procedure
During the authentication procedure, the user is required to enter the registered User-ID. After that, a challenge set that consists of a 5 × 5 grid is shown (see Figure 9). Five unique images (solid sphere, up arrow, down arrow, left arrow and right arrow) are used in every challenge set. There are 25 images in total (1 solid sphere image and 6 images of each of the four arrows). A uniform randomisation algorithm is used to select the images, and the selected images are placed in the cells of the 5 × 5 grid. The user is required to use the proposed method to obtain the pass-location to login.

Proposed Method
The proposed method uses the cardinal direction concept to prevent shoulder-surfing attacks [22]. There are four main cardinal directions on a compass: north, south, east and west. These four directions are also known as the cardinal points. Up arrow, down arrow, right arrow and left arrow are used in the proposed method to represent the north, south, east and west directions respectively. To obtain the pass-location, firstly, the user is required to find the start image for navigation. The start image is represented by a solid sphere image, as highlighted in Figure 10. After that, the user is required to identify the image shown at each of the registered locations. Then, the user is required to use the direction of the image to navigate from the start image based on the five navigation movements: upward movement, downward movement, backward movement, forward movement and no movement.

Upward movement: if an up arrow image is shown at the registered location, the pass-location is one location upward from the on-focus location (see Figure 11a). The on-focus location in this scenario is the start image. If the on-focus location is located at the top edge of the grid, the pass-location is wrapped around to the bottom of the column (see Figure 11b). The direction of the movement is shown in green arrows, the on-focus location is highlighted in red boxes and the pass-location is highlighted in blue boxes.
Downward movement: if a down arrow image is shown at the registered location, the pass-location is one location downward from the on-focus location (see Figure 12a). If the on-focus location is located at the bottom edge of the grid, the pass-location is wrapped around to the top of the column (see Figure 12b).
Backward movement: if a left arrow image is shown at the registered location, the pass-location is one location backward from the on-focus location (see Figure 13a). If the on-focus location is located at the left edge of the grid, the pass-location is wrapped around to the rightmost column (see Figure 13b).
Forward movement: if a right arrow image is shown at the registered location, the pass-location is one location forward from the on-focus location (see Figure 14a). If the on-focus location is located at the right edge of the grid, the pass-location is wrapped around to the leftmost column (see Figure 14b).
No movement: if a solid sphere image is shown at the registered location, the pass-location remains at the same location as the on-focus location (see Figure 15). Hence, no movement is required.
A sample challenge round is used to illustrate the proposed method (see Figure 16). Assuming that a user has registered five locations and their order is highlighted as in Figure 16, to obtain the pass-location, firstly, the user is required to find the start location. The start location is the location shown with a solid sphere image. After that, the user is required to identify the image shown at each of the registered locations. The first registered location shows a solid sphere image. Therefore, the pass-location remains at the same location as the on-focus location. Hence, no movement is required (see Figure 17a). Next, the second registered location is detected. The proposed method converts the pass-location into the on-focus location. The left arrow image shown at the second registered location is used to determine the new pass-location. Since the on-focus location is located at the left edge of the grid, the pass-location is wrapped around to the rightmost column after moving one location backward (see Figure 17b). When the third registered location is detected, the pass-location is converted into the on-focus location. The image shown at the third registered location is used to determine the new pass-location. The third registered location shows a down arrow image. Therefore, the pass-location is one location downward from the on-focus location (see Figure 17c). After that, the fourth registered location is detected. Similarly, the pass-location is converted into the on-focus location. The right arrow image shown at the fourth registered location is used to determine the new pass-location. Since the on-focus location is located at the
right-edge of the grid cell, the pass-location is wrapped around to the leftmost column after moving one location forward (see Figure 17d).Again, another registered location is detected.The pass-location is converted to the on-focus location.The up arrow image shown at the fifth registered location is used to determine the new pass-location.Therefore, the pass-location is one location upward from the on-focus location (see Figure 17e).Since there are no more registered locations detected, the pass-location is the final location that the user needs to click to complete the challenge round (see Figure 17f).The final pass-location is shaded in grey.
Symmetry 2019, 11, x FOR PEER REVIEW 13 of 20 pass-location.The third registered location is a down arrow image.Therefore, the pass-location is one location downward from the on-focus location (see Figure 17c).After that, the fourth registered location is detected.Similarly, the pass-location is converted to the on-focus location.The right arrow image shown at the fourth registered location is used to determine the new pass-location.Since the on-focus location is located at the right-edge of the grid cell, the pass-location is wrapped around to the leftmost column after moving one location forward (see Figure 17d).Again, another registered location is detected.The pass-location is converted to the on-focus location.The up arrow image shown at the fifth registered location is used to determine the new pass-location.Therefore, the pass-location is one location upward from the on-focus location (see Figure 17e).Since there are no more registered locations detected, the pass-location is the final location that the user needs to click to complete the challenge round (see Figure 17f).The final pass-location is shaded in grey.It was a known fact that recognition-based graphical password systems have limited password spaces compared to alphanumeric password systems [23,24].Due to the limited password space issues, most graphical password systems are vulnerable to brute-force attack.To reduce brute-force attack while not affecting the user memorability, we have suggested that the user register at least three locations and our proposed system will enforce the user identifying the correct pass-location in three continuous attempts before the user can login.To increase the password spaces of our proposed method, we regenerate a new challenge set for the user regardless of whether the user clicks the pass-location correctly or wrongly in each challenge set.The images shown in the new challenge set are reshuffled using a randomisation algorithm.To restrict the number of trials 
by brute-force attackers, we have set a maximum trial of three for each user.If the user fails to login after three trials, his/her account will be blocked.This block feature can also reduce guessing attacks.However, during the user study, this feature was disabled so that the participants could have unlimited trials to perform the shoulder-surfing test.
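The pass-location walk and the login policy described above, as an added Python example that is not the paper's code: it computes the pass-location from a challenge grid and the ordered registered locations using the wrap-around rules, and applies the three-consecutive-rounds, reshuffle-after-every-click and three-trial block policy. The 5x5 grid size, the single-letter image encoding, the assumption of exactly one solid sphere (the start location) per challenge set, the constructed sample challenge and the reading of a "trial" as one failed click are assumptions made for this illustration.

```python
"""Added example (not the paper's code): LocPass-style pass-location
computation with edge wrap-around, plus the login policy described above
(at least three registered locations, three consecutive correct rounds,
a reshuffled challenge after every click, block after three failed trials).
Grid size, image encoding and the sample challenge set are assumptions."""
import secrets
from typing import List, Optional, Tuple

# Image shown in a challenge cell (assumed single-letter encoding) and the
# (row, col) delta it implies; the solid sphere means "no movement".
UP, DOWN, LEFT, RIGHT, SPHERE = "U", "D", "L", "R", "O"
MOVES = {UP: (-1, 0), DOWN: (1, 0), LEFT: (0, -1), RIGHT: (0, 1), SPHERE: (0, 0)}

Loc = Tuple[int, int]  # (row, col), zero-based
Grid = List[str]       # one string of image letters per row


def start_location(grid: Grid) -> Loc:
    """The start location is the cell showing the solid sphere image
    (assumed: exactly one solid sphere per challenge set)."""
    found = [(r, c) for r, row in enumerate(grid)
             for c, img in enumerate(row) if img == SPHERE]
    if len(found) != 1:
        raise ValueError("challenge set must show exactly one solid sphere")
    return found[0]


def move(on_focus: Loc, img: str, rows: int, cols: int) -> Loc:
    """Apply one movement rule. Modular arithmetic gives the wrap-around:
    up from the top edge lands at the bottom of the column, left from the
    left edge lands in the rightmost column, and so on."""
    dr, dc = MOVES[img]
    return ((on_focus[0] + dr) % rows, (on_focus[1] + dc) % cols)


def pass_location(grid: Grid, registered: List[Loc]) -> Loc:
    """Walk the registered locations in order: each step makes the current
    pass-location the on-focus location and moves it by the image shown at
    that registered location. The final pass-location is the cell to click."""
    rows, cols = len(grid), len(grid[0])
    focus = start_location(grid)
    for r, c in registered:
        focus = move(focus, grid[r][c], rows, cols)
    return focus


def random_challenge(rows: int, cols: int) -> Grid:
    """Reshuffled challenge set: one solid sphere plus random arrows, shuffled
    with a CSPRNG (the paper's randomisation algorithm is not given here)."""
    cells = [SPHERE] + [secrets.choice([UP, DOWN, LEFT, RIGHT])
                        for _ in range(rows * cols - 1)]
    for i in range(len(cells) - 1, 0, -1):  # Fisher-Yates shuffle
        j = secrets.randbelow(i + 1)
        cells[i], cells[j] = cells[j], cells[i]
    return ["".join(cells[r * cols:(r + 1) * cols]) for r in range(rows)]


class LocPassAccount:
    """Server-side login state for one user (hypothetical class)."""
    ROUNDS_PER_LOGIN = 3   # consecutive correct pass-locations needed
    MAX_TRIALS = 3         # failed attempts before the account is blocked

    def __init__(self, registered: List[Loc], rows: int = 5, cols: int = 5):
        if len(registered) < 3:
            raise ValueError("register at least three locations")
        self.registered, self.rows, self.cols = list(registered), rows, cols
        self.failed_trials, self.blocked, self.correct_rounds = 0, False, 0
        self.challenge = random_challenge(rows, cols)

    def submit_click(self, clicked: Loc) -> Optional[bool]:
        """True on login, False when a trial fails (account blocked once
        MAX_TRIALS have failed), None while more correct rounds are needed.
        A new challenge set is issued after every click, right or wrong."""
        if self.blocked:
            return False
        expected = pass_location(self.challenge, self.registered)
        self.challenge = random_challenge(self.rows, self.cols)
        if clicked != expected:
            self.correct_rounds = 0
            self.failed_trials += 1
            self.blocked = self.failed_trials >= self.MAX_TRIALS
            return False
        self.correct_rounds += 1
        if self.correct_rounds < self.ROUNDS_PER_LOGIN:
            return None
        self.correct_rounds = 0
        return True


# Constructed 5x5 challenge set (sphere at (0,0) is the start location) and
# constructed registered locations showing O, L, D, R, D in that order:
# (0,0) -O-> (0,0) -L-> wrap to (0,4) -D-> (1,4) -R-> wrap to (1,0) -D-> (2,0)
SAMPLE_GRID = ["OUDLR", "RDULD", "ULDLU", "DLRUD", "LRUDD"]
SAMPLE_REGISTERED = [(0, 0), (2, 3), (1, 1), (3, 2), (4, 4)]
```

Registering only the cells showing the left and right arrows of the sample set offsets them and returns the start location, which is the "no movement" effect the Discussion relies on.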

User Study
We conducted a search using the Thomson Reuters, Scopus and Google Scholar databases. To our knowledge, user studies are the only method used to evaluate the feasibility of a method in reducing/preventing shoulder-surfing attacks [1,5,17,18,20,21,25,26]. Shoulder-surfing occurs when attackers skillfully capture important data/activities such as login passwords via direct observation or video recording methods. This behaviour cannot be formalised. Therefore, we tried to carefully design and imitate the actual scenarios of direct observation, multiple observations and video-recorded shoulder-surfing attacks. To imitate direct observation scenarios, the participants could directly observe the login process. To imitate multiple observation scenarios, the participants were given unlimited chances to request a live demonstration throughout the testing. To imitate video-recorded shoulder-surfing scenarios, the participants were given unlimited chances to watch a pre-recorded video of a login session throughout the testing. They could even record and analyse the live demonstration using their mobile phones. Moreover, the related works with which we compare (WYSWTE [5], Ho et al. [17], Por et al. [1], 3DGUA [20], Sun et al. [21]) use user studies to evaluate their methods as well. Thus, we used a user study to evaluate the feasibility of our proposed method in preventing shoulder-surfing attacks.

Hypothesis
Null hypothesis (H0). Our proposed method, which uses the pass-location concept, can prevent shoulder-surfing attackers from obtaining the predefined registered locations regardless of gender.
Alternative hypothesis (H1). Our proposed method, which uses the pass-location concept, cannot prevent shoulder-surfing attackers from obtaining the predefined registered locations regardless of gender.
These hypotheses were formulated to evaluate whether our proposed method could prevent shoulder-surfing attackers from obtaining the predefined registered locations regardless of gender. To test them, the following methodology was used.

Participants
A user study was conducted to evaluate the feasibility of the proposed method in preventing shoulder-surfing attacks. 108 students from the Department of Computer Science (DCS), Ekiti State University (EKSU), Nigeria were invited to participate in this user study (Group 1). 49 participants were male and the rest were female. The total population at DCS, EKSU is 150. According to the required sample size table proposed by Krejcie and Morgan in 1970 [27], 108 is a sufficient sample size for a population of 150 at a 95% confidence level with a margin of error of 5%. This means that if the user study is repeated using the same method, the true population parameter will fall within 5 percentage points of the real population value 95% of the time.
Based on the reviewer's comments, we conducted another user study with 30 technically competent participants from Oyo State, Nigeria (Group 2). This group of participants had backgrounds in computer security. They were either IT technical staff or IT administrators who combat cybercrime or make/strengthen their company's security policy. A sample size of 30, it is often suggested, will produce an approximately normal sampling distribution [28,29]. Thus, a sample size of at least 30 was used in this case study to evaluate whether competency level is a factor influencing the result of our proposed method in preventing shoulder-surfing attacks. During the shoulder-surfing testing, this group was treated equally with the other participants, in that they were required to go through the same procedures before attacking.

Procedure
Initially, the participants were required to go through a tutorial session to ensure they had equipped themselves with the knowledge of how our proposed system works. After that, the participants were asked to login and familiarise themselves with the proposed method. Once they had confirmed they could perform the shoulder-surfing testing, the participants were instructed to watch a recorded video of a login session. Throughout the testing, the participants were allowed to replay the recorded video and could request a live demonstration as many times as they required. The participants could record and analyse the live demonstration using their mobile phones. The participants were then given unlimited trials to perform the attack. The results and feedback regarding the methods used by the participants were recorded.

Shoulder-Surfing Testing Result
The shoulder-surfing testing results indicated that none of the participants was able to login, although they knew the underlying algorithm and had been given sufficient time to perform a shoulder-surfing attack (see Table 1). The results also indicated that none of the participants from Group 2 was able to login, although they were technically competent. This means that the hypothesis test does not reject H0. In other words, the user study results have shown that the proposed method, which uses the pass-location concept, could resist direct observation, multiple observations and video-recorded shoulder-surfing attacks regardless of gender. This claim is made because the participants had gone through a tutorial session and had familiarised themselves with the proposed method before performing the shoulder-surfing test. Moreover, the user study was carefully designed to imitate the actual scenarios of direct observation, multiple observations and video-recorded shoulder-surfing attacks. Taken together, the user study results show that our proposed method, which uses the pass-location concept, could resist these three forms of shoulder-surfing attack regardless of gender and competency level.

Usability Testing Result
Figure 18 shows the mean time for ten successful logins. As shown in the chart, as participants became more familiar with the system, the time taken to login decreased. Table 2 shows the statistics of the successful login time. As shown in the table, the user study result indicated that the minimum time taken by the participants for a successful login was 4.0 seconds. The maximum time taken by the participants for a successful login was 20.0 seconds. The mean indicated an average login time of 6.55 seconds; this is the average time taken to login successfully by all the participants after completing ten successful logins. The median login time for all the successful login attempts was 6.0 seconds, which indicates that 50% of the login attempts required 6.0 seconds or less. The standard deviation of 1.63 seconds indicates that the login times were relatively close and not too far apart. This was further supported by a mode of 6.0 seconds, which indicates that the majority of the successful login times were 6.0 seconds.

Comparison with Other Selected Related Works
Table 3 shows the login time comparison between the proposed method and other related works. Method [1] reported that it has the minimum login time, followed by our proposed method, then method [17]. In terms of maximum login time, our proposed method had the shortest login time, followed by the method in [1], then the method in [17]. On average, our proposed method still had a for the attackers when they shoulder-surf the images/locations clicked by a user. This is unlike the method in [17], where the images/locations clicked by the user could indirectly allow the attackers to obtain useful information for determining the pass-images/locations used when they reverse engineered the authentication process based on the images/locations clicked.
Lastly, the password space estimation of the related works and our proposed method is presented in Table 5.

Discussion
In this study, we have proposed a method that makes use of the registered locations (something that only the users know) and 5 image directions inspired by the cardinal directions (something that the users can see) to determine a pass-location (new knowledge).
We conducted a search using the Thomson Reuters, Scopus and Google Scholar databases. To our knowledge, user studies are the only method used to evaluate the feasibility of a method in reducing/preventing shoulder-surfing attacks [1,5,17,18,20,21,25,26]. Shoulder-surfing occurs when attackers skillfully capture important data/activities such as login passwords via direct observation or video recording methods. This behaviour cannot be formalised. Moreover, the related works with which we compare (WYSWTE [5], Ho et al. [17], Por et al. [1], 3DGUA [20], Sun et al. [21]) use user studies to evaluate their methods. Thus, we used a user study to evaluate the feasibility of our proposed method in preventing shoulder-surfing attacks.
The user study was carefully designed to imitate the actual scenarios of direct observation, multiple observations and video-recorded shoulder-surfing attacks. The participants were given unlimited trials to perform shoulder-surfing attacks. They could even request that the demonstrator demonstrate the authentication process, and record it using their mobile phones for further analysis. The shoulder-surfing testing results indicated that none of the participants was able to login, although they knew the underlying algorithm and were given sufficient time to perform a shoulder-surfing attack. Hence, we conclude that our proposed method can resist direct observation, multiple observations and video-recorded shoulder-surfing attacks, regardless of gender and competency level.
There are two factors that enable our proposed method to withstand shoulder-surfing attacks. Firstly, the registered locations and the images used in our proposed method are meaningful. By combining both types of meaningful information, our proposed method produces useful knowledge. This knowledge is then used to determine the pass-location in each challenge set. Nevertheless, this new knowledge will not make any sense to the attackers if they obtain it using shoulder-surfing attacks.
Secondly, the images used in our proposed method are more likely to offset each other. Offset in this context refers to "no movement". No movement can only happen if a registered location shows a solid sphere image, or if the registered locations are made up of left arrow and right arrow images, or of up arrow and down arrow images. The idea of offset could increase the password space of our proposed method if an attacker intended to guess the registered locations used. For example, in Figure 10 the pass-location is located at the solid sphere image. To get such a location, a user must either register a location at the solid sphere image (case i), or the registered locations must show both left and right arrows (case ii), or both up and down arrows (case iii), or the registered locations are made up of two or more repetitions of case i, ii or iii individually (case iv), or the registered locations are made up of any combination of cases i, ii, iii and iv (case v). This means that the number of registered locations used to produce a "no movement" result can be anywhere between 1 and N, where N is a positive integer. Therefore, it is clear that our proposed method could improve the password space, and this would eventually make it more difficult for the attackers to guess how many registered locations a user is using.

Conclusions
This research has expanded the mechanisms available for preventing shoulder-surfing attacks and broadened knowledge on preventing them. We have proposed and demonstrated a new method in which the pass-location is determined by navigating in the directions given by the images displayed at the registered positions. This would no doubt contribute greatly to knowledge in graphical passwords, and ultimately to information security research.
In future work we will continue exploring more meaningful images, in the hope that these images can be deployed to determine a pass-image/location in a challenge set. Moreover, we will also look into other suitable ways to deploy images that have the offset attribute, to increase the password space.

Figure 1. User interface of "Where You See is What You Enter" (WYSWYE; adopted from [5]). (a) Users need to mentally eliminate the row and column from the challenge grid that do not contain the password images (apple, dog, ice cream and television in this case); (b) Users need to identify the position of the password images in the reduced challenge grid; (c) Users need to click the position of the password images in the respond grid; (d) Example of notations used in the challenge grid and the respond grid to illustrate the weaknesses of WYSWYE.

Figure 2. User interface of Ho et al.'s system (adopted from [17]). (a) Direction obtained from the cued picture; (b) Determine whether a cued picture is on the half-line; (c) Cued picture is not on the half-line; (d) Cued picture is on the half-line and not the last picture; (e) Cued picture is on the half-line and is the last picture.

Figure 8. A sample of registered locations.

Figure 18. Mean times for ten successful logins.

, box No. 1 in the respond grid is associated with A, B, F and G boxes in the challenge grid; box No. 2 is associated B, C, G and H boxes; box No. 3 is associated with C, D, H and I boxes; box No. 4 is associated with D, E, I and J boxes; box No. 5 is associated with F, G, K and L boxes; box No. 6 is associated with G, H, L and M boxes; box No. 7 is associated with H, I, M and N boxes; box No. 8 is associated with I, J, N and O boxes; box No. 9 is associated with K, L, P and Q boxes; box No. 10 is associated with L, M, Q and R boxes; box No. 11 is associated with M, N, R and S boxes; box No. 12 is associated with N, O, S and T boxes; box No. 13 is associated with P, Q, U and V boxes; box No. 14 is associated with Q, R, V and W boxes; box No. 15 is associated with R, S, W and X boxes; box No.

Table 1. Results of shoulder-surfing prevention according to gender.

Table 2. Results of shoulder-surfing prevention according to gender.